5 Lessons learned from CISSP and ISO training courses

5 Lessons learned from CISSP and ISO training courses

Five key lessons learned for those wishing to embark on a training and a certification journey

Information Security professionals seek to obtain a professional certification to better display their knowledge and their expertise in those landmark credentials. Employers and clients do not feel being sufficiently qualified to validate the expert’s competences in Information Security and in Cybersecurity.

Various questions are often raised in relation to the most adequate training and certification. I have founded Information Security certification (academy.atayapartners.com and exed.solvay.edu/IT), co-created CISM in 2002. A world recognised certification (ISACA.org/cism), acted as one of the first European CISSP trainer in 2001. Every year tens of experts from various classes that I organise (academic and professional) graduate and get certification.

A training for studying CISSP or SIO 27001 Lead Auditor or Lead implemented is an essential step to gather the necessary knowledge and to prepared for the multiple-choice examination.

Attending a training week may be costly, tedious if ill planned. A cheaper alternative is to self-study based on books or online resources. However, this apparently cheap option may eventually become much more time consuming and probably less effective.

The difficulty of a self-Study is to remain well focused and to structure the dedicated study time in an optimal way. Even when attending a full time training, typically over a week, one should consider spending another week in self-study and rehearse of various domains of knowledge. This also consist in browsing the net and researching additional resources on advanced topics.

On-line education is another option. It involves audio, video, projection of slides and references to links and downloadable material. Some offers include human mentoring by a trainer in live interaction delivered to group of online participants. This paced approach helps in aligning the effort with a structured study plan.

Another option involves access to stream or video presentations that could be attended on one’s own pace and could be repeatedly viewed until completely digested. 

No single option offers the guarantee of a passing score. The successful outcome depends on the initial aptitude of the participant as well as on her capability to acquire the necessary knowledge during and after the training period. Some have to retake to the exam after a failed outcome.

Many other professional trainings promote themselves as guaranteed success, but hidden under the asterix it says *In case of exam failure you can re-enrolled for free and repeat the course*. This comes to a cost, another week of training that was not in the schedule.

If we look at the financial aspects, a typical cost of a training week is 3500€, in addition to a potential loss of revenue caused by the absence from work or loss of invoiced consulting days. The payback is regularly estimated to less than one year. The revenue increase for a CISSP holder, or the consulting rate increase, should allow to amortize this initial investment in less than ten working months, provided the certificate holder is able to capitalize and to promote his/her additional aptitudes.

Here are some of my bottom line advicefor those who plan to embark on a CISSP or an ISO27001 training and certification:


  1. Don’t register before checking the credentials of the trainer. It may make the whole difference to get expert trainer advises and knowledgeable insights on each one of the domains and study topics.
  2. Identify those domains of weakness and the domains of strengths that you have and decide where should you spend your extra effort to ensure a successful average score.
  3. Avoid those training supermarkets that offer international visibility to their training through web commerce page but lack local expertise. Avoid having a junior one man show, slide-flippers trainer.
  4. Visit major credential owners pages and check the franchised trainers they recommend, but also identify a potential gem near you: a trainer who offers his/her devotion and who is committed to transform you into a genuine expert, by sharing war stories, templates and links, as well as insights and tools.
  5. The most important take away from a credential is not a certificate holding your name but a knowledge and a reputation that you acquire. Success is not the result of having remembered the right buzz words at the exam, but the perspective of resolving complex challenges in information security management career.


I had the privilege to build an executive education study in Information Security and Cybersecurity at a renowned Business School. I relied on the bodies of knowledge of both CISSP and ISO 27001 as well as other resources. We could offer to our participants the luxury of having one expert speaker for each topic, calling on tens of specialist speakers. We managed to deliver case base lecture, alternative education methodologies, and a business school model of education enabling our participants to succeed the credential examination, in addition to the Business School certification.

At Ataya Partners Academy we make sure to provide you the best learning environment, you can check our next courses here.

Georges Ataya is Professor at Université Libre de Bruxelles and academic director at Solvay Brussels School. He founded in 2001 what became today the Digital Governance and trust education. He founded in 2005 the Secure Application Development yearly training, Co-created the body of knowledge for the CISM and CGEIT credentials (ISACA) and co-founded the Belgian Cybersecurity Coalition. Georges acted in early 1990’s as member of the Infosec Advisory Group supporting the European Commission strategy in Information Security (IBAG). He acted as International Vice President of ISACA and the IT Governance Institute (2005-2010). Georges participated in the development of various version of COBIT, IT Governance Framework.

Join the Ataya Partners Community on Linkedin.